2005-07-29
As the outrage and accusations, the knee-jerk shootings (and the knee-jerk legislation) continue to make press following the explosions and attempted explosions in London, the last thing that many of us need is another example of a situation being "solved" by ill-conceived legislation that is proposed and passed in the heat of something big. Unfortunately, this is exactly what is happening on both sides of the CardSystems credit card compromise debacle.

1) There are still people in this industry who do not understand the difference between a vulnerability assessment and a penetration analysis. Unfortunately, many of these people have several security "certifications", and are prominent in the field.
2) Competent security services are obtained from competent security consultants and professionals, NOT from common carriers and automated testing tools. If you rely on Nessus to certify an e-commerce environment, you deserve what you are going to get (no offense to Nessus, which is a great product when used properly). There is no substitute for a hands-on assessment conducted by a truly competent security consultant. The companies that offer commoditized automated scanning services for Visa certification should be made to bear a significant portion of the blame for problems like this. Being able to re-format an NBE file to look professional does not mean that you are competent to conduct security assessments.
3) The Visa certification program is an absolute and total farce. This program is nothing more than a revenue generation tool for them, and has nothing at all to do with ensuring that organizations providing security assessment services are competent to do so. The Visa program only ensures that the "certified" security assessment providers can pay the fees. One need only look at the modifications Visa recently made to the "certification" program to see this. They've even jumped on the training bandwagon now...
4) I hit this one before, but automated testing processes CANNOT defend a site from hacker attack. The tools cannot be updated quickly enough, and relying on automated tools to substitute for real world knowledge delivers disastrous results.
5) Relying on worthless certifications to prove the competence of security consultants is dangerous, and at least partially responsible for most of this mess. The trend seems to be to make the certifications EASIER to get, and once again, certifying security consultants has become a revenue stream for certain companies. The companies offering these "certifications" don't even bother to hide what they are doing anymore.
6) Visa and CardSystems should share equally in the blame. Visa for certifying an incompetent organization to conduct security assessment (because they paid the fee), and CardSystems for utilizing a boneheaded security posture.
Since businesses prove every day that they are incapable of regulating themselves with regards to security and privacy, perhaps it IS time for some nice new legislation to deal with these issues. If companies continue to show that they will not spend money on competent security services unless forced to, then they should be forced to.
Sometimes, legislation IS the answer.
On the other hand, if CardServices had hired a competent consultant (and followed that consultant's advice) in the first place, this would never have happened.
Jamie
jpole@jcpa.com